()
| 77 | } |
| 78 | |
| 79 | export function subprocessEnv(): NodeJS.ProcessEnv { |
| 80 | // CCR upstreamproxy: inject HTTPS_PROXY + CA bundle vars so curl/gh/python |
| 81 | // in agent subprocesses route through the local relay. Returns {} when the |
| 82 | // proxy is disabled or not registered (non-CCR), so this is a no-op outside |
| 83 | // CCR containers. |
| 84 | const proxyEnv = _getUpstreamProxyEnv?.() ?? {} |
| 85 | |
| 86 | if (!isEnvTruthy(process.env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB)) { |
| 87 | return Object.keys(proxyEnv).length > 0 |
| 88 | ? { ...process.env, ...proxyEnv } |
| 89 | : process.env |
| 90 | } |
| 91 | const env = { ...process.env, ...proxyEnv } |
| 92 | for (const k of GHA_SUBPROCESS_SCRUB) { |
| 93 | delete env[k] |
| 94 | // GitHub Actions auto-creates INPUT_<NAME> for `with:` inputs, duplicating |
| 95 | // secrets like INPUT_ANTHROPIC_API_KEY. No-op for vars that aren't action inputs. |
| 96 | delete env[`INPUT_${k}`] |
| 97 | } |
| 98 | return env |
| 99 | } |
no test coverage detected